- CentOS 7.2.1511
- Linux 3.10.0-123.9.3.el7.x86_64
- MariaDB:10.1.11
/etc/my.cnf
#
# This group is read both both by the client and the server
# use it for options that affect everything
#
[client-server]
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d
[mysqld]
ssl
ssl-ca = /root/ca.pem
ssl-cert = /root/server-cert.pem
ssl-key = /root/server-key.pem
bind-address = 0.0.0.0
port = 3306
max_allowed_packet = 16M
[mysqldump]
max_allowed_packet = 16M
我使用命令启动了 mariadb:
systemctl start mysql
然后我使用 root 登录 mysql,输入status显示 SSL Not in use。然后我输入
show variables like '%ssl%';
我得到一张表格:
+---------------------+---------------------------------+
| Variable_name | Value |
+---------------------+---------------------------------+
| have_openssl | YES |
| have_ssl | DISABLED |
| ssl_ca | /root/ca.pem |
| ssl_capath | |
| ssl_cert | /root/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /root/server-key.pem |
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013 |
+---------------------+---------------------------------+
最后我甚至尝试使用 ssl 登录,但显然失败了。
更新
以下是错误日志文件中的一些警告消息:
[Warning] Failed to setup SSL
[Warning] SSL error: SSL_CTX_set_default_verify_paths failed
[Warning] SSL error: error:0200100D:system library:fopen:Permission denied
[Warning] SSL error: error:2006D002:BIO_new_file:system lib
[warning] SSL error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
答案1
MariaDB 不允许访问 root 主目录中的文件/root。因此,CA、证书和私钥文件不可读。
在 RHEL 上,这些文件的标准位置位于 、 和 下的目录/etc/pki中/etc/pki/CA。/etc/pki/tls/certs如果/etc/pki/tls/private您复制在此处设置适当的所有权和权限,以便 MariaDB 可以读你会发现它起作用了。或者,你可以将证书和私钥文件放在 的子目录中/etc/mysql。